1. Technical Field of the Invention
The present invention relates to network security and, in particular, to an integration of a firewalling functionality, intrusion detector functionality and network discovery functionality to provide for a unified network defense structure.
2. Description of Related Art
Over the past few years, Internet usage has grown rapidly as an increasing number of computer users connect to the information super-highway. With Internet usage becoming more prevalent, enterprises are increasingly using the Internet to conduct their business. Enterprises are also exploiting the world-wide networking advantages of the Internet by connecting their internal networks to the Internet, thereby expanding their operations, facilitating communications within the enterprise, enabling e-commerce and transaction processing, and communicating with customers, suppliers and business partners. Connection to the Internet may be made at any one of a variety of access points, including major corporate offices, branch offices, remote user locations, Internet data centers and e-business Web sites.
While Internet usage is increasing, the access speed at which individuals and enterprises connect to the Internet is also increasing. Consumers and smaller enterprises are shifting from dial-up modem connections to broadband connections, using cable or digital subscriber line, or DSL, modems. These broadband connections enable users to access the Internet at speeds up to 20 times faster than a dial-up modem. Similarly, larger enterprises are moving from T1 connections and T3 connections to higher speed OC-3 connections and gigabit Ethernet connections. Web site connection speeds are also increasing as many Web sites, which were originally operated from an enterprise's own facilities, have been outsourced to Internet data centers, which deliver higher bandwidth connections.
As enterprises increasingly use the Internet to conduct business, the amount of confidential and sensitive information that is delivered over, and is accessible through, the Internet is also increasing. Unlike the private, dedicated communications networks that enterprises have used for business for the last several decades, which were relatively secure from outside intruders, the Internet and networks connected to an enterprise are susceptible to security threats and malicious eavesdropping due to their openness and ease of access. Recently, there has been an increase in the frequency of attempted breaches of network security, or hacker attacks, intended to access this confidential information or to otherwise interfere with network communications.
Network attacks are becoming not only more prevalent but also more sophisticated and severe, resulting in part from the availability of tools and information on how to conduct these attacks, an increase in hacker sophistication, an increase in the number of network access points that are vulnerable to attack and an increase in the overall amount of confidential information accessible through or delivered over the Internet. These attacks include distributed denial of service attacks, in which an attacker floods a Web site with large numbers of packets or connection requests that overwhelm the Web site and prevent legitimate users from accessing it. Other types of attacks are designed not just to prevent access to a Web site, but also to penetrate its security and allow a hacker to take control of a server and deface the Web site or steal sensitive information. Still other attacks include malicious eavesdropping, which allows a hacker to misappropriate confidential communication transmitted over the Internet. If confidential communications fall into the wrong hands, the enterprise's business may be damaged or, at the very least, its reputation may suffer. Denial of service attacks also carry a significant cost and negative publicity. In an attempt to combat all of these types of attacks, enterprises have been increasing their security budgets to address heightened network vulnerability concerns.
To prevent network security breaches, enterprises have deployed firewalls at the access points where their networks connect to the Internet or other networks. Firewalls are hardware or software devices that filter the content that flows into and out of an enterprise's network. The firewall is designed to block unauthorized access to the network, allowing only connections that are approved by the network administrator. However, because of the increased sophistication of hackers, and the existence of automated attack tools, firewalls alone have proven to be inadequate measures to fully protect many networks. Consequently, many enterprises have been compelled to add additional network security systems, including intrusion detection systems (IDSs) and vulnerability assessment scanners (VASs). Both the IDS and VAS assess the vulnerability of a network to attack. Intrusion detection systems are designed to expose intruders, break off the intrusion, examine the intruder's point of entry and prevent future intruders from using the same entry point. Vulnerability assessment scanners, on the other hand, are designed to discover vulnerabilities of a network system, allowing network managers to find and patch network security holes before they are discovered by hackers.
The first generation of firewalls, intrusion detection systems and vulnerability assessment scanners generally were designed to secure low bandwidth connections to the Internet. As network connection speeds have increased, these early types of security products have created significant performance bottlenecks in networks, slowing down connection speeds.
As the security needs of enterprises have continued to evolve, single-function, low-speed firewall, IDS and VAS products are no longer capable of cost-effectively meeting the performance and manageability needs of organizations. To deploy a complete firewall, intrusion detection system and vulnerability assessment scanner solution, an enterprise often must purchase a series of separate, expensive devices and license expensive security software, often from multiple vendors, which do not communicate with each other and cannot be interfaced with one management console system. This can result in a network security architecture that is more expensive and complex to install and manage and, as a result of this increased complexity, potentially less secure than a network that is based on a single vendor's products or an integrated solution. More specifically, enterprises have found it difficult, if not impossible, to integrate the firewall, IDS and VAS solutions together. Most security appliances require an enterprise to reconfigure network addressing to insert the appliances into its network and also require the enterprise to compromise network design in ways that reduce redundancy and, therefore, network reliability. Many times these issues have led to a significant decrease in the enterprise's network connection speed as more devices are added to the network.
An enterprise requires a broad array of high-performance, cost-effective products to secure its networks. To reduce cost and network complexity, the enterprise must increasingly look for high-performance network security solutions that can integrate firewall, IDS and vulnerability assessment capabilities into one system or appliance. It is also clear that entities desire a comprehensive network security solution from a single vendor that can scale from low-bandwidth connections to high-bandwidth connections while delivering very high-speed network performance and availability. In response to this preference, existing security vendors have started to include additional capabilities in their single-function products. However, these products were not originally designed to deliver multiple functions and, as a result, the addition of these functions tends to decrease both product and network performance, increase product complexity and significantly increase cost.
The present invention addresses the foregoing and other concerns with a single vendor solution that integrates the functionalities performed by a firewall, IDS and VAS for network security into one system or appliance supported on a single platform.